This module exploits a command injection vulnerability in the Collectd graphing functionality in LibreNMS. The `to` and `from` parameters used to define the range for a graph are sanitized using the `mysqli_real_escape_string()` function, which permits backticks. These parameters are used as part of a shell command that gets executed via the `passthru()` function, which can result in code execution.
The vulnerability allows an attacker to pull admin info from the database. The exploit uses a UNION SELECT statement to retrieve the username and password from the admin table. The vulnerable page is `fullnews.php` and the payload is `www.site.com/fullnews.php?id=-1/**/UNION/**/ALL/**/SELECT/**/1,2,concat(username,char(58),password),4,5/**/FROM/**/admin/*`
This exploit allows an attacker to inject SQL queries into the 'signup.php' page of the Online Appointment Booking System, leading to unauthorized access to the database.
The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.
The vulnerability exists in the admin_page_open.php and client_page_open.php files in the Form Tools 1.5.0b software. The vulnerability allows an attacker to include remote files by manipulating the 'g_root_dir' parameter. By exploiting this vulnerability, an attacker can execute malicious code hosted on a remote server.
This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to the `ftpfw.sh` system command, leading to command injection. A valid SNMP read-write community is required to exploit this vulnerability. The following devices are known to be affected by this issue: Crestron Airmedia AM-100 <= version 1.5.0.4, Crestron Airmedia AM-101 <= version 2.5.0.12, Awind WiPG-1600w <= version 2.0.1.8, Awind WiPG-2000d <= version 2.1.6.2, Barco wePresent 2000 <= version 2.1.5.7, Newline Trucast 2 <= version 2.1.0.5, Newline Trucast 3 <= version 2.1.3.7.
The vulnerability allows an attacker to include remote files in the vulnerable software. The vulnerable files in Oreon are './oreon-1.4/www/include/monitoring/engine/MakeXML.php' and './oreon-1.4/www/include/monitoring/engine/MakeXML4statusCounter.php'. The attack can be performed by appending a malicious URL to the vulnerable file. The exploit code is provided in the text.
A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user. RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected. RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected. RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.
This module abuses a known default password on Cisco UCS Director. The 'scpuser' account has the password 'scpuser', which allows an attacker to log in to the virtual appliance via SSH. This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0. Note that Cisco also mentions in their advisory that their IMC Supervisor and UCS Director Express are also affected by these vulnerabilities, but this module was not tested with those products.
This module attempts to gain root privileges by blindly injecting into the session user's running shell processes and executing commands by calling `system()`, in the hope that the process has valid cached sudo tokens with root privileges. The system must have gdb installed and permit ptrace. This module has been tested successfully on Debian 9.8 (x64) and CentOS 7.4.1708 (x64).